Currently neutron_ovs_agent_launcher.sh unconditionally
runs neutron with the default python from /usr/bin/python,
so it is impossible to force it to use python3 if
/usr/bin/python points to python2.
Make the python interpreter overridable, by reusing the
existing Heat parameter "PythonInterpreter" and honouring
its value in neutron_ovs_agent_launcher.sh
Change-Id: I43c17de81603bd41e6503dd01d6f4ef452b7d533
Co-Authored-By: Michele Baldessari <michele@acksyn.org>
On an F28-based container image nova-libvirt fails to
start in Podman if /sys/fs/selinux is bind-mounted
from the host, with the following logs:
2019-01-16 13:41:35.375+0000: 452430: error : virSecuritySELinuxQEMUInitialize:634 : cannot open SELinux label_handle: No such file or directory
2019-01-16 13:41:35.375+0000: 452430: error : qemuSecurityInit:425 : internal error: Failed to initialize security drivers
2019-01-16 13:41:35.375+0000: 452430: error : virStateInitialize:775 : Initialization of QEMU state driver failed: internal error: Failed to initialize security drivers
2019-01-16 13:41:35.375+0000: 452430: error : daemonRunStateInit:837 : Driver state initialization failed
Perform the bind-mount only when the ContainerCli is set
to 'docker'.
Change-Id: I7a2ca4fb1ff8ea5950fd52774c648af5ef274796
Closes-Bug: #1812013
Co-Authored-By: Michele Baldessari <michele@acksyn.org>
PythonInterpreter defaults to /usr/bin/python. If a user overrides
this default, e.g. to something like python3, then we should use it.
Modify ceph-base.yml to use the PythonInterpreter parameter. The
variable will already be set to ansible_python_interpreter by the
calling ansible execution.
Change-Id: If599855c00d0ab8861ea7f873d410f9a880d35be
Closes-Bug: #1811974
The socket is only needed when ContainerCli is set to 'docker'.
It only affects mistral executor and sensu-client containers, which were
the last containers relying on the socket.
For sensu-client, it was for healthchecks and they are being replaced by
systemd so the feature parity will be here.
For mistral-executor, it's needed by tripleo-validations running docker
CLI and they will have to run podman cli instead of docker.
Change-Id: I4e3d29a6eb65d871d7a1a935fcbd7bb98e7d1752
Haproxy 1.8 brings in a specific change that breaks us:
It removes the haproxy-systemd-wrapper which
we use in order to be able to reload the config file without
restarting the whole container (important in TLS scenarios).
We fix this by calling the haproxy binary directly and
using the master-worker mode (-Ws) which allows to receive
a SIGUSR2 command which will then reload the config for
all the workers. It should also not background.
This commit keeps backward compatibility with current HAProxy
to ease the transition to new HAProxy.
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Change-Id: I93943efefa22b9107c85f9f5e0bd4c3c1ab867ed
Context: https://github.com/containers/libpod/issues/1844
We have a concurrency issue when podman is enabled, where
the bind-mounted entrypoint can't be found.
This patch will retry the podman run commands 3 times before declaring
a failure.
Also, every time it fails we'll log the number of attempts to configure
the container. So we can track these numbers in CI.
It'll allow us to keep doing concurrent calls, but with less chance
to fail with the issue #1844.
Note: we hate this patch and we hope to revert it soon. But now it's how
we'll reduce issues in CI.
Change-Id: I6af89bf54e562e7c6bbcdb82041a7274789dcf28
Related-Bug: #1811383
In order to allow the system iptables to actually run from within a container,
we might need specific, per-kernel modules in order to avoid mismatches.
Currently, the only container having the system iptables mounted is the
haproxy_firewall thingy.
Change-Id: Idabc2da14413d953c8fe9effdd240dc250e7c64d
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1665598
Implicit defaults hide issues with overriding ansible variables as we
pass values in from deploy-steps.j2.
Make no implicit defaults for variables passed into deploy steps via
ansible vars. Only expect those to take the values defined in the caller
deploy-steps.j2 playbook template. Add missing params and vars for
templates to propagate ansible values for external deploy/upgrade,
upgrade/update and post upgrade steps playbooks.
Make DockerPuppetDebug boolean to align with other booleans we pass
into deploy steps via ansible vars. Fix its processing in
docker-puppet.py, which is defaults for DockerPuppetDebug: ''
converted into 'false' in deploy steps tasks playbook, and then
that becomes always True in docker-puppet.py.
Related-Bug: #1799914
Change-Id: Ia630f08f553bd53656c76e5c8059f15d314a17c0
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
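The failure mode described in the DockerPuppetDebug message above, where the text 'false' ends up evaluating as true in Python, shown as an added example that is not code from docker-puppet.py. The function names, the `DEBUG` variable name, the accepted spellings and the sample values are assumptions made for illustration.

```python
# Added illustration: hypothetical names, not taken from docker-puppet.py.

# Assumed spellings a templated boolean may arrive as once rendered to text.
TRUE_STRINGS = {"1", "true", "yes", "on"}
FALSE_STRINGS = {"", "0", "false", "no", "off"}


def debug_enabled_buggy(raw):
    """Truthiness test: any non-empty string, including 'false', enables debug."""
    return bool(raw)


def parse_bool(raw):
    """Strictly parse a boolean that was passed through as text.

    Unknown values raise instead of silently picking a side, so a bad
    override is reported rather than hidden behind an implicit default.
    """
    if isinstance(raw, bool):
        return raw
    text = str(raw).strip().lower()
    if text in TRUE_STRINGS:
        return True
    if text in FALSE_STRINGS:
        return False
    raise ValueError("not a boolean: %r" % (raw,))


def debug_from_env(environ, name="DEBUG"):
    """Read the flag from an environment mapping; absent means disabled."""
    return parse_bool(environ.get(name, "false"))


# Constructed sample values covering the empty default and both casings.
SAMPLES = ["", "false", "False", "true", "True", True, False]


def compare(samples=SAMPLES):
    """Return (value, buggy result, strict result) for each sample."""
    return [(s, debug_enabled_buggy(s), parse_bool(s)) for s in samples]


if __name__ == "__main__":
    for raw, buggy, strict in compare():
        print("%-8r buggy=%-5s strict=%s" % (raw, buggy, strict))
```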
Fixes reported problem of job running only in check and not in gate:
tripleo-ci-centos-7-scenario000-multinode-oooq-container-updates
Change-Id: I7df8d811287c7605b1b406420de1eb17ae555346
Change I222873859af1b4ed1050cfffe55687b2f8d4c528 removed the
RedisVipPort using the {{primary_role_name}} jinja variable.
The code to get the primary_role_name is no longer necessary.
Closes-Bug: #1808893
Change-Id: Id416786c85a48c598ccc8a9975bb07d7735df218
Currently the curl commands associated with this command run on all
controller nodes of the overcloud. Because the ODL URI is always the
same it's actually doing it against the same REST API every time,
causing problems with the optimistic locking ODL uses.
This patch adds extra error information and limits the execution of this
task to only once per playbook (i.e. just one controller).
Change-Id: I75aed2c0f412961c1eed2ff14e039a0baca09e8a
The merge-new-params-nic-config-script.py previously had the
'Controller' role as the default for --role-name. It is not
obvious that this parameter must be changed when merging
nic config templates.
Remove the default and make the argument required. Improves
UX since user error is less likely.
Making the mistake of using a Role with too many networks
isn't as forgiving since we now only pass parameters for
the role.networks.
Related-Bug: #1800811
Change-Id: Iff9e364db66ad09a30ac10a7814a3c01d50caf58
As requested during the review of a couple of tripleo-common patches:
https://review.openstack.org/#/c/610629
https://review.openstack.org/#/c/626801
We've moved the tripleo-barbican-{vendor} ansible roles to third
party repositories. This patch updates THT to use the new roles.
Change-Id: Ica54f812bbe5e53e771dcfd59004b28f7c7105b0
When upgrading from MySQL 10.1 to 10.3 a bug appears if no
shutdown is being performed, as the redo log format has
changed in version 10.3.2 [0].
Make sure we always stop the MySQL server cleanly before
upgrading to a new version, to avoid redo log issue.
Note: to be idempotent, we need to stop the mysql container
rather than delete it; to be able to stop the container, we
amend the restart policy of the mysql container.
[0] - https://jira.mariadb.org/browse/MDEV-14848
Change-Id: Ia07b7755867858c74c7334424e8e6579ace495db
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
Closes-Bug: #1810136
This is a new service required for sharding containers.
It is disabled by default and can be enabled by setting the
SwiftContainerSharderEnabled to true.
Change-Id: I73119496ca6dd99b2f42f97529ad91273735c848
As healthchecks are using "ss" command, we need to allow container_t
to access a tcp diagnostic socket, at least for the port healthchecks.
This follows change I9ebdf09c36fd2c69d05128b584593b41d9144e56, triggered
by the neutron healthchecks. A second pass was necessary in order to
further check the calls of ss.
Change-Id: I27e4c860948667abc2c21df5ec9e01627f58465a
Related-Bug: #1810512